Re: cprng_fast implementation benchmarks

On Fri, Apr 25, 2014 at 01:53:13PM +0000, Paul_Koning%Dell.com@localhost wrote:
>
> Yes, the discussion is about an RNG that is weaker than the existing
> strong RNG. How much weaker is not clear.
There's not a single answer, because the CTR_DRBG is designed to resist
attacks that really don't seem relevant here. It's not a simple
question of whether one cipher is stronger than the other.
Even if you compare the core transforms (AES-128 in the case of the
CTR_DRBG vs ChaCha8) it's not at all clear that ChaCha8 is any weaker.
There is not any currently known attack on 8 rounds of ChaCha that is
better than brute force on its 256-bit key. AES-128 is, at best, 128
bits strong.
> that I can't tell whether it is stronger than the minimum required, or
> weaker than that.
At present, if we are talking simply about the strength of the cipher
itself (rather than about properties such as backtracking resistance)
there's no attack better than brute-forcing the 256-bit key. It seems
to me that is probably good enough.
Thor